Voter rolls are not a retail commodity.

Beginning with the DNC hack in spring of 2016, it dawned on me (maybe I’m slow to the party, but eventually it clicks) that the retail market in voter registration databases is a bad idea. That’s been highlighted in the last few weeks by Kris Kobach’s ill-fated attempt to federalize voter information in a searchable facility. This was one of the key take-aways from the recent Time article that chillingly describes how access to voter registration can be used to disrupt elections without ever touching one of those insecure DRE voting machines.
I even worked out a threat scenario and circulated it to some friends who agreed (1) it is plausible, and (2) it is not obviously illegal. You can see why if you follow the complicated trail in the Guardian article, or if you just look at what the people creating the market in your voting data say about it:
Notes for a 2016 Democratic Campaign
Eric Schmidt
April 2014

Key is the development of a single record for a voter that aggregates all that is known about them.  In 2016 smart phones will be used to identify, meet, and update profiles on the voter.  A dynamic volunteer can easily speak with a voter and, with their email or other digital handle, get the voter videos and other answers to areas they care about (“the benefits of ACA to you” etc.)

The point is to be able to create dashboard, accurate to the individual vote level, that is predictive of future voter behavior.  Civis Analytics is one such company:

Civis Analytics, a company founded by the chief analytics officer of Barack Obama’s 2012 re-election campaign, has raised $22 million in Series A funding.


[Figure: civis_media_optimizer]

I’m not happy there’s a market in voter data, but I am even less happy that political parties, market analysts, and election owners do not seem to understand the significance of unauthorized access. Unless there is a statute to the contrary, trading in this kind of information is no more serious than buying and selling grocery store loyalty data.

I want the voter data market to be regulated. There is no consensus around this topic, but I am convinced this is a security hole big enough to drive a truck through. I have friends who disagree, saying transparency in voter rolls is important to prevent vote buying/trading, voter intimidation, and other problems. Agreed, but that’s a long way from giving tacit approval to monetizing my contact and other personal information.

[As a side note:  I am baffled that my NRA-supporting friends have not been as up in arms (get it?) about this as they have about federal gun ownership registries.]

Regulation of this market, like many in the information age, will be messy.  Just look at how colleges and universities wrap themselves around the axle to comply with FERPA-mandated protection of student data, for example.  But that does not mean it should not be done.  At the very least, regulation can force information aggregators like the DNC and the RNC to provide safeguards to deter the sort of casual intrusion marking the 2016 election.


When it comes to election hacking, low tech is cheaper and better

Georgia Secretary of State Brian Kemp is often quoted as skeptical about the threat of web-based attacks on the State’s computerized voting systems. The Secretary makes many such pronouncements, but he also professes to know few details of the underlying technologies.  I suspect that Kemp’s knowledge base concerning such matters will disappear completely with the recently announced firing of Merle King and the incident-prone Center for Election Systems at Kennesaw State University. It was King who famously introduced the (incorrect) idea that Georgia’s voting machines were “air-gapped,” a measure that–even if true–would have little impact on the end-to-end security of the elections system.

When it comes to election hacking, low tech is always cheaper and, in most cases, it is much better.

I have already previewed some of the main vulnerabilities here, here, and here, but will have a lot more to say in the next few days about high-tech vulnerabilities. I want to use today’s post to point out that no self-respecting spy/hacker would resort to such exotic measures without first trying much less risky (and far less expensive) ways of hacking an election.

The human element is always the first choice in espionage.

Human espionage is an ancient art; in fact, it has even been called the oldest profession. Unfortunately, espionage is still alive and well in today’s post-Cold War environment. If anything, it is even more rampant. Events in the news remind us of this, such as the recent arrests of two Lucent Technologies employees, and a catering employee of MasterCard International for the theft of trade secrets. Throughout history and in current times efforts to identify indicators of espionage have been made. Unfortunately these efforts have met with limited success. In every instance of espionage, the person involved had access to information. Understanding this, and the fact we have the ability to control access to computer file systems, is critical to protecting information.

I will give just one of many examples that Russian election hackers are certain to know well.  The U.S. government spends hundreds of millions of dollars on encryption technology aimed at thwarting even the most well-funded adversaries. This is one of the oldest ideas in information and communications security.  It dates from the British cracking of German Enigma codes in World War II. The idea behind encryption security is that there should be a concrete price for technology that can be used to crack a code. For the British, that price was the cost of mounting the deciphering unit at Bletchley Park.

For modern hackers, the price tag is the cost of building a deciphering supercomputer. Those costs have soared over the last 25 years. In the 1980s, a $20 million supercomputer would have been sufficient to hack into all but the most highly sophisticated encrypted communications. But it is an arms race, and today only national intelligence services and a few non-state actors are able to invest upwards of $500 million annually to reliably decrypt enemy communications.

One reason for this shift in strategy is that the most damaging breaches in history have been ridiculously easy to mount, and not all that expensive. Six million dollars would have done it. That was the total price tag for turning CIA intelligence officer Aldrich Ames ($2.5M), FBI agent Robert Hanssen ($1.4M), U.S. Navy communications officer John Anthony Walker ($1M), and intelligence analyst Jonathan Pollard (a bargain at $50,000), all of whom became spies for foreign powers. Edward Snowden and Chelsea Manning get thrown in for free.

I mention this point only because, among Logan Lamb’s and Chris Grayson’s discoveries when they stumbled into the unprotected servers at Kennesaw State, were files containing election day passwords. Brian Kemp claims the files were encrypted and password protected. Lamb and Grayson say no, and the directories that I have seen myself back up the Lamb and Grayson accounts.

Either Kemp knows this and is simply lying to the public, or (more likely than not) he is ill-informed about what was going on in the Kennesaw operation.

Either way, why would a Russian attacker go through the trouble of mounting a web-based attack on voting machines when Georgia’s election officials simply handed over the election day keys to voting systems?


30 Reasons (Part 3) to believe that Georgia’s computerized voting system may not be as secure as election officials claim

Reasons 1-10 are here, and 11-20 can be found here.

These are reasons 21-30:

  1. Georgia election officials consistently misstate operating characteristics and functionality of the computerized election system. These misstatements are designed to convey an impression that the system has security and recovery features that, in fact, do not exist. For example, in sworn testimony before Fulton County Judge Adams, the Fulton County chief election administrator claimed under cross-examination that Accuvote TS voting machines maintain a voter verified trail because an image of the voter’s ballot is stored in memory. Unsupported claims of isolation, multi-layered protection and proper user authentication abound in statements from election officials.
  2. Election officials raise problems with alternative methods of verifying votes, where none exist. Richard Barron (Fulton County administrator), for example, claimed that paper ballot counts have 5% error rates (and are therefore at least as error-prone as any method of counting votes). There have been scientific studies of this matter. Barron is off by an order of magnitude. Proper hand counting methods have error rates of up to 0.5%, and even low-cost methods have error rates of only 2%.
  3. Physical security of devices and chain of custody are important to election security in Georgia, and the use of tamper-proof seals is often cited as an important link in the security chain. Not only are tamper-proof seals of the type used in Georgia readily available online, election workers often break the seals and re-seal devices without prior authorization. That type of breach, for example, might be prompted by a desire to check a machine for damage, as was observed by independent third parties during the June 20 runoff.
  4. According to CES Executive Director Merle King, Georgia’s computerized voting systems use a version of Windows that dates from the early 2000s and is unpatched and unsupported by Microsoft. Unpatched operating systems are vulnerable to malware of all types and significantly increase the likelihood of successful hacks.
  5. There has never been an independent security evaluation of Georgia’s computerized election system.
  6. Georgia’s election officials have never looked to see whether their systems have been hacked. Despite claims to the contrary, no one in CES or the Secretary of State’s Office has actually checked to see whether the election system has been hacked.  This includes the immediate aftermath of the CES break-in, during which it would have been appropriate to see whether malware had been introduced or the systems had otherwise been compromised.  A representative from the US Department of Homeland Security  testified to the Senate Intelligence Committee that DHS has not conducted such an analysis either.
  7. The CES Executive Director has stated publicly that CES scrounges for used and reconditioned equipment to replace its aging components. Information about information assurance measures for these devices has not been released. Nor does CES have any idea about whether these parts have ever been connected to the Internet.
  8. Secretary of State Brian Kemp was one of the few secretaries of state objecting to the DHS offer in 2016 to designate election systems as critical national infrastructure, which would have dramatically increased the security-related resources available to the state. In fact, Kemp used the occasion to pick a fight with DHS by accusing the agency of a “massive attack” on Georgia’s systems. That accusation was refuted thoroughly by the DHS Inspector General in an open letter.
  9. Secretary of State Brian Kemp issues dismissive statements to the press, but has yet to respond to this letter or this letter about Georgia’s system security, posed by a group of distinguished computer scientists. These questions were designed to increase the public confidence in the security of the underlying system.
  10. The premise underlying Georgia’s approach to paperless DRE voting systems was undermined in 2003, shortly after the implementation of HAVA and the chartering of the Election Assistance Commission (EAC), when the National Institute of Standards and Technology (NIST) was asked to formulate the alternatives to a voter verified paper trail. NIST in turn chartered the Auditability Working Group to conduct an exhaustive study. The 2011 report of the NIST Working Group rejected the very idea of paperless voting. The report begins with its main conclusion (reproduced in the “AWG Conclusions” figure of the original post). In other words, the paperless system in use in Georgia is, by design, perfectly engineered to incorporate a fatal flaw: there is always the possibility of undetectable errors in the recording of votes. The NIST study means that the high confidence expressed by election officials in the security of Georgia’s computerized voting system has no scientific basis.

30 Reasons (Part 2) to believe that Georgia’s computerized voting system may not be as secure as election officials claim

See Part 1 for Reasons 1-10.  Here are reasons 11-20.

  1. Despite repeated assurances that voting machines are never connected to the Internet, Logan Lamb watches a video on the CES website that instructs poll workers (and demonstrates) how to insert PCMCIA memory cards into Internet connected computers to load them with ballots and other election-related information.  Poll workers are instructed to insert those cards into a port on Diebold Accuvote TS voting machines on election day.  This establishes a connection between the voting machines and the Internet that would allow their exposure to malware.
  2. Despite assurances that voting machines cannot be tampered with because they are under the secure, continual physical control of election officials at all times, numerous voters observe unattended voting machines in hallways of public buildings. The receipt shows that the recipient has not signed for these machines and the machines are accessible to anyone.

  3. Despite repeated assurances that election security is a priority for Georgia elections, an internal Kennesaw State University audit of the Lamb-Grayson breach, concludes that there was “poor understanding” of the risk posed by CES.
  4. Missing ballots are nothing new in Georgia elections. Reports surface every election cycle about votes that are cast on computerized voting equipment that are never recorded. These range from anecdotes about touchscreen presses that are reversed by the time the summary screen is presented to the voter to legal challenges mounted by candidates (like this one). Georgia’s Secretary of State makes challenges based on illegal tampering even more complex because he has been on a crusade to reduce the size of voter rolls in the state. Nevertheless, election night analysis continues to show that flipping votes on DRE type voting machines is a real risk. Tally records confirm missing ballots.
  5. It may seem like sour grapes for losing candidates to complain about election night anomalies, but Georgia seems to have more than its fair share of surprises like that. In 2002, for example, Diebold’s voting machines reported the defeat of Democratic senator Max Cleland. Early polls had given the highly popular Cleland a solid lead over his Republican opponent, Saxby Chambliss. Two days before the election, a Zogby poll gave Chambliss a one-point lead among likely voters, while the Atlanta Journal-Constitution reported that Cleland maintained a three-point advantage with the same group. Cleland lost by seven points. In the month leading up to the election, Diebold employees, led by Bob Urosevich, applied a mysterious, uncertified software patch to 5,000 voting machines that Georgia had purchased in May. Popular Governor Roy Barnes lost to Sonny Perdue by somehow blowing an 11 point lead on the eve of the election, and voter turnout anomalies like the one illustrated in the original post led many to question the validity of the June 20 election in the 6th District.
  6. Voter rolls have become a favorite target of election hacks, so when it was reported that five electronic poll books were stolen before the April special election, it caught the eye of cyber security professionals already concerned about the integrity of Georgia elections. The theft was not reported until the eve of the Special Election, and the stolen machines were subsequently found in a dumpster. (Note added July 9: Initial press reports were misleading. They were not found in a dumpster. Later reporting said that the police took the word of the alleged thief that he threw them away. Officials did not think it was worth it to try to recover them. Interestingly enough, Secretary of State Brian Kemp threw a party for the police who did not recover the missing poll books.)
  7. Since there were many opportunities for hackers to modify contact information, it is not surprising that voters were turned away from legitimate polling centers.
  8. Or voters were directed to alternative centers because of an unusually large number of simultaneous renovations to existing centers, thus depressing voter turnout.
  9. Vague descriptions of what exactly constitutes Georgia’s computerized voting system are useful to deflect questions about what components are certified by whom.  A citizens’ request that SoS produce active, valid certifications for the entire system was denied.
  10. SoS Brian Kemp in published op-ed pieces is openly dismissive of threats to election systems.  In particular, he dismisses the threat of Russian hacking as “fake news,” making it difficult to balance threats, vulnerabilities, and security measures.  Kemp often declares Georgia’s systems to be absolutely secure, but that is not a great feat if you do not acknowledge any threats.

#protectGAvote and special thanks to Lady Liberty Votes for visual examples.

30 Reasons to believe that Georgia’s computerized voting system may not be as secure as election officials claim, Part 1

  1. An internal analysis by the vendor says the machines are vulnerable to vote changing.
  2. Data breach in the Secretary of State’s office exposes 6M+ names and personal information of Georgia voters to media outlets and political party offices.
  3. Secretary of State Karen Handel ignores recommendations for beefing up the voting system.
  4. The same voting machines used in Georgia are successfully and repeatedly attacked.
  5. In a realistic test, Washington DC voting system is hacked: in 48 hours all of the election results were undetectably changed.
  6. A walkthrough of The Center for Election System at Kennesaw State University (which programs, tests, and maintains the State’s 27,000 voting machines) shows shocking lapses of physical security.
  7. Cyber security researcher Logan Lamb stumbles into 15GB of sensitive documents that were externally accessible, already indexed by Google. Files included election day passwords, GEMS databases, training videos, and executable files. CES managers warn Lamb to avoid talking to the media or risk being “crushed by powerful people downtown.”
  8. CES promises to fix the problem, but 6 months later cyber security researcher Chris Grayson finds that the files are still exposed to the Internet.
  9. Despite assurances that CES is not connected to the public Internet, an internal Kennesaw State audit of the Lamb-Grayson breach finds an unlocked data closet at CES with a public access port to the Internet.
  10. Despite assurances that CES is not connected to the public Internet, an internal Kennesaw State audit of the Lamb-Grayson breach finds an unauthorized wireless access point on premises, providing a channel from internal CES systems to the public Internet.


Georgia Sec. of State does not want DHS to designate election systems as critical infrastructure. Here’s why.

Georgia’s election officials were all bent out of shape last fall when the US Department of Homeland Security (DHS) wanted to designate American election infrastructure as critical to national security.  As Sec. of State Brian Kemp explained in his recent USA Today op-ed, it’s really just a matter of state sovereignty.  We don’t want the federal government telling us how to run our elections, is what Kemp is telling Georgians. In fact, he thinks so little of DHS, he wants you to believe the federal government (ours, not Russia’s) is the one hacking Georgia’s election system in a “massive attack,” according to a complaint filed by Kemp’s office last January.

The Inspector General of DHS investigated Kemp’s allegations and found, to the Secretary’s embarrassment, that what he had characterized as a massive attack was actually normal web traffic. Never mind, murmured Kemp.

A more likely explanation for the critical infrastructure freak-out is that the Secretary of State’s office treats the protection of the computerized election system like a high school science fair project, not a precious resource to be protected. Wouldn’t that be embarrassing if the Feds showed up to check on his ability to manage critical infrastructure?

Way back in the early days of electronic voting in Georgia, then SoS Cathy Cox, a Democrat, set up the Center for Election Systems (CES) at Kennesaw State University to test, program, maintain and provide training for the Diebold-based touchscreen voting machines and associated servers, networks, and software.

CES Director Michael Barnes served as an enthusiastic tour guide to the Atlanta Journal and Constitution, which posted this video on YouTube™

A well-positioned sign announced the state’s central technology organization, helpfully displaying its precise location.  No guards or even a receptionist to check the identities of visitors; no ID badges to distinguish students who were authorized to be there from those who merely wanted to examine the piles of election equipment and computers that had been left unattended in otherwise unsupervised rooms.

You would think that an important system like this would have the eye of top university leadership.  Director Barnes says no. CES is just another department in the school of science.

The most likely explanation for the Secretary’s over-the-top reaction to the suggestion that Georgia’s election system be classified as critical infrastructure is that the state’s election officials do not think it is that important, and they would prefer that this not be widely known.

#protectGAvote


Your daily data breach: 200 million voter records exposed, including contact information and voting preferences

Today’s announcement from UpGuard reports that

the data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors

This makes it the largest breach of its kind.

Gizmodo reports that

Deep Root’s server was discovered by UpGuard’s [Chris] Vickery on the night of June 12 as he was searching for data publicly accessible on Amazon’s cloud service. He used the same process last month to detect sensitive files tied to a US Defense Department project and exposed by an employee of a top defense contractor.

It is now becoming clear that the network of voter databases allows well funded actors to combine information from various sources. Someone with bad intentions can piece together enough information to interfere with and disrupt elections.

Political operations might view such databases as easily commoditized marketing data that can be discarded after an election. A hacker, on the other hand, might take a longer view, realizing the damage to be done in misusing knowledge of voting patterns.
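The Deep Root exposure described above came down to a storage bucket on Amazon’s cloud service that anyone on the Internet could read. The check a defender would want is a routine audit of bucket access control lists for grants to the public groups. The following is an added example, not code from the original post, UpGuard or Deep Root; it mirrors the grant structure that boto3’s `get_bucket_acl` returns, but the ACLs below are constructed samples and no AWS call is made.

```python
"""Offline audit of S3-style bucket ACLs for grants to the public groups.

Added example, not part of the original post. The dictionaries mimic the
shape of boto3's S3 get_bucket_acl response (Grants -> Grantee/Permission);
the sample ACLs are constructed, not taken from any real bucket.
"""
from typing import Dict, List, Tuple

# The two group URIs AWS uses for "anyone on the Internet" and
# "anyone with an AWS account"; a grant to either makes data public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: bucket readable only by its owner (canonical id is a placeholder).
PRIVATE_ACL: Dict = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
    ],
}

# Constructed sample: the kind of ACL that lets a stranger list and download everything.
EXPOSED_ACL: Dict = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def public_grants(acl: Dict) -> List[Tuple[str, str]]:
    """Return (group_name, permission) for every grant made to a public group.

    Only Group grantees are considered; canonical-user and e-mail grantees are
    specific accounts, not the public. An empty list means no public grant.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((uri.rsplit("/", 1)[-1], grant.get("Permission", "")))
    return findings


def exposure(acl: Dict) -> str:
    """Classify the worst public grant on the bucket.

    'public-writable': anyone can add or replace objects (WRITE / FULL_CONTROL)
    'public-listable': anyone can enumerate and fetch objects (READ)
    'acl-exposed':     anyone can read or change the ACL itself (READ_ACP / WRITE_ACP)
    'private':         no grant to a public group at all
    """
    perms = {permission for _, permission in public_grants(acl)}
    if perms & {"WRITE", "FULL_CONTROL"}:
        return "public-writable"
    if "READ" in perms:
        return "public-listable"
    if perms & {"READ_ACP", "WRITE_ACP"}:
        return "acl-exposed"
    return "private"


def audit(buckets: Dict[str, Dict]) -> Dict[str, str]:
    """Map each bucket name to its exposure class; callers would feed real
    get_bucket_acl results here (bucket names below are constructed)."""
    return {name: exposure(acl) for name, acl in buckets.items()}


if __name__ == "__main__":
    for name, verdict in audit({"voter-files-sample": EXPOSED_ACL,
                                "internal-sample": PRIVATE_ACL}).items():
        print(f"{name}: {verdict}")
```

An ACL audit is necessary but not sufficient: a bucket policy or per-object ACL can also open data to the world, so a real review checks those as well, and the durable fix is to turn on the account-level block for public access so that a careless grant like the one in `EXPOSED_ACL` cannot take effect in the first place.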

#protectGAvote